NIST to Create New Cybersecurity Framework

The Biden Administration is putting a big focus on cybersecurity. Recently, it tasked NIST with creating a new cybersecurity framework.

Earlier this year, President Biden signed an executive order regarding cybersecurity. In June, after an onslaught of supply chain attacks, the Department of Justice announced that it would treat ransomware attacks as acts of terrorism. Next, Biden would task the FCC with ensuring fair competition by signing another executive order. This one would essentially restore Net Neutrality, something his predecessor repealed. Now the President is tasking the National Institute of Standards and Technology (NIST) with creating a new cybersecurity framework for developers.

NIST frameworks have been used as a guideline for businesses since 2014, but on a voluntary basis. According to a fact sheet, “The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software.” President Biden held a meeting with executives from major tech companies and cyber insurers in August, after which the likes of Microsoft, Google, Travelers, Coalition, Amazon, IBM and more committed to participating in this initiative. The linked fact sheet details which companies are included and what their investment is, whether it be funds or training or both.

There is a key thing to remember here, though, and that’s that the government can’t do it alone. “Our view has long been that it is a combined responsibility of the federal government to put in place clear guidelines, clear best practices, and the private sector to take steps to harden their own cybersecurity,” White House Press Secretary Jen Psaki said during a press briefing when asked whether cybersecurity mandates might be necessary.

The public, private and government sectors all have to work together in this arena; it has to be a complete collaboration and effort if we want to stamp out the onslaught of cybersecurity attacks plaguing the globe. The problem is that the NIST guidelines have long been voluntary, and while the Biden administration is clearly putting a big focus on cybersecurity, without mandates there’s no guarantee these new guidelines will be followed either.

Another factor in the new framework is that guidelines are simply that: guidelines. Many businesses have implemented their own frameworks, creating the inconsistency we see today. So rather than considering this a “new” framework, let’s call it what it is: a revision or re-writing of the original framework. The hope, this time, is that businesses will see these new standardized guidelines and begin to implement the security measures needed to keep up.

But that’s the real underlying issue here, isn’t it? It’s not just having the framework in place; it’s implementation. We have guidelines for everything in this world, little bendable rules that point us in the right direction as we fumble through life. But there’s nothing saying that those guidelines have to be followed, although following them is highly recommended and encouraged to achieve the best possible outcome. The same applies here: having guidelines does not ensure adherence. Legislation is needed, as several members of Congress have indicated.

Still, while we wait for the government to get around to this legislation, having something in place to give businesses an idea of what is to come is a good thing. Even if they can’t adhere instantly, they can start the process of protecting their product, their clients, customers, employees, business partners and proprietary information. By doing it in steps, or even phases, the cost can be spread out and the changes done over time, resulting in less disruption to business.

One other takeaway from the meeting that sparked this executive order actually goes back to the May 12 order around cybersecurity. That order says that the government will eventually require its contractors to implement certain practices. “Because of that order, government will only buy tech products that meet certain cybersecurity standards, which will have a ripple effect across the software industry, in our view, ultimately improving security for all Americans,” Biden said.

Keep your eyes open for that ripple effect. The increase in cyberattacks has governing bodies around the world scrambling to stop them. The U.S. is no different, clearly putting a focus on fighting cybercrime. Hopefully, with a global effort among private and public entities, cybersecurity will eventually disappear from our headlines.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
